Krebs on Security

In-depth security news and investigation

Nationwide arts and crafts chain Michaels Stores Inc. said today that two separate eight-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards.

The statements by Irving, Texas-based Michaels suggest that the two independent security firms it hired to investigate the break-ins initially found nothing.

“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the statement reads.

According to Michaels, the affected systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. The company says there is no evidence that other customer personal information, such as name, address or debit card PIN, was at risk in connection with this issue.

The company’s statement says the attack on Michaels targeted “a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014.”

“Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue,” the statement continues. “The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7% of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed on www.michaels.com.”

Regarding Aaron Brothers, Michaels Stores said it has confirmed that between June 26, 2013 and February 27, 2014, 54 Aaron Brothers stores were affected by this malware, noting that the locations for each affected Aaron Brothers store are listed on www.aaronbrothers.com.

“The Company estimates that approximately 400,000 cards were potentially impacted during this period. The Company has received a limited number of reports from the payment card brands and banks of fraudulent use of payment cards potentially connected to Michaels or Aaron Brothers.”

This incident marks the second time in three years that Michaels Stores has wrestled with a widespread compromise of its payment card systems. In May 2011, Michaels disclosed that crooks had physically tampered with some point-of-sale devices at store registers in some Chicago locations, although further investigation revealed compromised POS devices in stores across the country, from Washington, D.C. to the West Coast.

Michaels says that while the Company has received limited reports of fraud, it is offering identity protection, credit monitoring and fraud assistance services through AllClear ID to affected Michaels and Aaron Brothers customers in the U.S. for 12 months at no cost to them. Details of the services and additional information related to the ongoing investigation are available on the Michaels and Aaron Brothers websites at www.michaels.com and www.aaronbrothers.com.

Incidentally, credit monitoring services will do nothing to protect consumers from fraud on existing financial accounts — such as credit and debit cards — and they’re not great at stopping new account fraud committed in your name. The most you can hope for with these services is that they alert you as quickly as possible after identity thieves have opened or attempted to open new accounts in your name.

As I noted in a recent story about the credit monitoring industry, the offering of these services has become the de facto public response for companies that experience a data breach, whether or not that breach resulted in the loss of personal information that could lead to actual identity theft (as opposed to mere credit card fraud). For more information about the limitations of credit monitoring services and more proactive steps that you can take to better protect your identity and credit file, check out this story.

This entry was posted on Thursday, April 17th, 2014 at 5:19 pm and is filed under Other.

75 comments

I wish all of the US Congress were victims of these attacks and the financial institutions didn’t have to pay the piper when they get whacked.

All I know is the present system is broken and the only way to fix it is get some seed money for people to come up with ideas to fix the present problems. Chip & PIN has problems. So does IPv6. How do you implement a firewall in a bridge-like device? Routers, Tor, and internet proxies hide your IPv4 address because every time you go through them the IPv4 address changes. I wonder just how many devices can be safe “out there” all the time. That is really what IPv6 means.

In the meantime even Linux does not allow memory scraping (but, along with almost any other OS out there, allows you to screw up memory on the heap, à la Heartbleed):

Just chop off voodoo.txt to see the folder contents. I am NOT saying use Linux. I think POS needs a special purpose OS built with security in mind.

All I am saying is that it is going to take a good deal of thought to deal with this problem.
It isn’t going to be fixed in a day and there is no magic bullet. E.g., just switching to Linux for a POS isn’t going to solve the problem. Well, it may have prevented this from happening but that alone is no longer good enough.

I’ve also used a bank debit card at Michaels over the past month. It was NOT the card that I’d used previously. The POS hardware at this Michaels store was unchanged. Fortunately, a daily check of all bank transactions allowed us to report it to the bank and recover a small loss. The fraudulent use of the card occurred outside of the U.S.